Hi. They apparently have a vast number of IPs that are part of this attack, and they are targeting a specific domain name, which our server only serves as a secondary MX for. So we need to figure out what regex to use which will ban every single attempt at logging in to «user@example.com», where the regexp should match the domain name, but not the username part. A sample log line from /var/log/auth.log looks like this:

Does anyone have an idea on a failregex that matches every attempt which tries to log in to an «example.com» email address? I have been trying for 6 hours to make it work, and I'm failing. I am not good at writing regexes so I don't really know what I'm doing…
Well you have a bit atypical timestamp `nov. 25 18:13:43` in your example (which fail2ban would probably not find by default), so you have to specify `datepattern = %%b\. %%d %%H:%%M:%%S`. In this case it will be found as a failure with `pam-generic` or `dovecot` jail (no matter with which domain). PoC (fail2ban-regex for pam-generic and dovecot filters) ...
If you want to find such messages with a specified domain only (or vice versa any other, as some whitelisting), you can make your own jail:

```ini
[wrong-domain]
logpath = /var/log/auth.log
filter =
port = 25,110,143,465,587,993,995
maxretry = 1
## (blacklist) matches only domains (example.com and other.tld):
#_wrong_domains = (?:example\.com|other\.tld)
# (whitelist) matches any domain excepting correct-domain.tld:
_wrong_domains = (?!correct-domain\.tld\s)\S+
failregex = ^\s*\S+ auth\[\d+\]: pam_\S+\(dovecot:auth\): authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=[^@]*@%(_wrong_domains)s rhost=<ADDR>
enabled = true
```

This should ban after every single attempt if domain matches something specified in `_wrong_domains`.
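To see what that jail actually matches, here is an added Python example (my own, not code from the discussion or from fail2ban) that runs the answer's failregex over a few constructed auth.log lines. It assumes a plain regex prefix in place of the jail's `datepattern` and a plain IPv4 group in place of fail2ban's `<ADDR>` tag; the hostnames, PIDs and RFC 5737 addresses in the sample lines are made up.

```python
import re

# Added example, not code from the discussion: run the answer's failregex over
# a few constructed auth.log lines to show which ones the jail would count.

# Stand-in for the jail's  datepattern = %%b\. %%d %%H:%%M:%%S  ("nov. 25 18:13:43").
# Assumption: fail2ban strips the timestamp itself; here a regex prefix does it.
DATE_PREFIX = r"^[A-Za-z]{3,4}\. \d{1,2} \d{2}:\d{2}:\d{2}\s+"

# The failregex from the answer. fail2ban's <ADDR> tag is replaced by a plain
# IPv4 group (assumption; the real tag also matches IPv6 and hostnames), and
# two named groups are added so the script can report what matched.
FAILREGEX = (
    r"\S+ auth\[\d+\]: pam_\S+\(dovecot:auth\): authentication failure; "
    r"logname=\S* uid=\S* euid=\S* tty=dovecot "
    r"ruser=(?P<ruser>[^@]*@%(_wrong_domains)s) "
    r"rhost=(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
)

# The two _wrong_domains variants from the answer.
BLACKLIST = r"(?:example\.com|other\.tld)"   # ban only these domains
WHITELIST = r"(?!correct-domain\.tld\s)\S+"  # ban any domain except this one

# Constructed sample lines (hostnames, PIDs and addresses are made up).
# Line 3 has "example.com" in the *user* part, which must not trigger a ban.
SAMPLE_LOG = """\
nov. 25 18:13:43 mx2 auth[12345]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=alice@example.com rhost=192.0.2.10
nov. 25 18:13:44 mx2 auth[12345]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob@correct-domain.tld rhost=198.51.100.7
nov. 25 18:13:45 mx2 auth[12346]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=example.com@correct-domain.tld rhost=203.0.113.9
nov. 25 18:13:46 mx2 auth[12346]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=carol@other.tld rhost=198.51.100.8
"""


def build_regex(wrong_domains):
    """Substitute %(_wrong_domains)s the way fail2ban's jail interpolation does."""
    return re.compile(DATE_PREFIX + (FAILREGEX % {"_wrong_domains": wrong_domains}))


def find_failures(log_text, wrong_domains):
    """Return (rhost, matched ruser text) for every line the jail would count."""
    rx = build_regex(wrong_domains)
    hits = []
    for line in log_text.splitlines():
        m = rx.match(line)
        if m:
            hits.append((m.group("host"), m.group("ruser")))
    return hits


if __name__ == "__main__":
    for name, pattern in (("blacklist", BLACKLIST), ("whitelist", WHITELIST)):
        print(name)
        for host, ruser in find_failures(SAMPLE_LOG, pattern):
            print("  would ban", host, "for", ruser)
```

Both variants flag only the two lines whose domain part is example.com or other.tld. The line with example.com in the username part is left alone because `[^@]*` consumes everything up to the first `@`, so the domain alternation (or the negative lookahead) is tested only against what follows it. A line in the plain syslog form `Nov 25 18:13:43` (no dot after the month) does not match the date prefix at all, which is the same reason the jail needs its own `datepattern`.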
The «atypical» timestamp is the normal Debian timestamp. I have yet to log in to a Debian box that did not have this timestamp format in the logs. Even my Mageia server has this timestamp format. I also see that my existing filter configs have a datepattern line. I tested your suggestion, and I cannot make even that work. I entered it into a test.conf jail, and this was the result:

So I copied the dovecot.conf filter into a new test-filter, replacing the failregex with your filter lines:

Any other ideas? :-)